Christian Folini | 21 Aug 10:26 2015

Alien cookies arriving at wrong place

Hi there,

This issue has troubled me for some time now, but I successfully
denied its existence. However, I need to take action now and I am
looking for thoughts or experiences.

Say I run example.com and I try to lock it down really hard.
It's a mid-sized site with a couple of million requests
per month. Among those requests, I have a handful of seemingly
legitimate requests by authenticated users with alien cookies
triggering all sorts of core rules. By alien cookies I mean
cookies that have not been issued by my site. At least I would
be totally unaware of the mechanism.

Two cookies I found in the logs this morning:
http://cookiepedia.co.uk/cookies/TrovitRef
http://cookiepedia.co.uk/cookies/GAMSUK

Tomorrow there will be different cookies. There is just no
telling, what will hit the site next.

Can anybody tell me how these cookies end up in requests addressed
to example.com - and what would you guys do about it?

Cheers,

Christian

-- 
If it could be proved that two plus two is five, then it could be 
(Continue reading)

Sophie Loewenthal | 20 Aug 14:26 2015

Collections_remove_stale: Failed deleting collection

Hi,

     I installed some rules for rate limiting and was concerned by a message
in modsec_audit.log.

My question: What does this error message really mean?

Message: collections_remove_stale: Failed deleting collection (name 
"ip", key "213.56.235.241_ef6e1e02a3981d38a7faf3db672aa4a4bf7cb53c"): 
Internal error

Some additional notes
I thought this may be related to /var/lib/mod_security/ip.pag or
user.pag. So, I installed modsec-sdbm-util to see if this DB needed
shrinking periodically, was fragmented or should be emptied (e.g. >
ip.pag) and still saw the messages.

  # modsec-sdbm-util -s ip.pag
Opening file: ip.pag
Database ready to be used.
  [\] 720 records so far.
Total of 726 elements processed.
0 elements removed.
Expired elements: 6, inconsistent items: 0
Fragmentation rate: 0.83% of the database is/was dirty data.

  # modsec-sdbm-util -s user.pag
Opening file: user.pag
Database ready to be used.
  [-] 790 records so far.
(Continue reading)

Sophie Loewenthal | 19 Aug 09:49 2015

modsec-sdbm-util trying to compile

Hi,

     I've noticed our *.pag files grow too large and would like to trim
this down with modsec-sdbm-util.
However I cannot see how I should compile this.

I ran the autogen.sh and created some m4 files. gcc on the .c file 
failed.  Are there some options to gcc I should use?

# ./autogen.sh
libtoolize: putting auxiliary files in `.'.
libtoolize: copying file `./ltmain.sh'
libtoolize: putting macros in AC_CONFIG_MACRO_DIR, `m4'.
libtoolize: copying file `m4/libtool.m4'
libtoolize: copying file `m4/ltoptions.m4'
libtoolize: copying file `m4/ltsugar.m4'
libtoolize: copying file `m4/ltversion.m4'
libtoolize: copying file `m4/lt~obsolete.m4'

  gcc  modsec-sdbm-util.c
modsec-sdbm-util.c:24:17: error: apr.h: No such file or directory
modsec-sdbm-util.c:25:23: error: apr_errno.h: No such file or directory
modsec-sdbm-util.c:26:25: error: apr_general.h: No such file or directory
modsec-sdbm-util.c:27:22: error: apr_want.h: No such file or directory
modsec-sdbm-util.c:28:27: error: apr_allocator.h: No such file or directory
modsec-sdbm-util.c:29:22: error: apr_sdbm.h: No such file or directory
modsec-sdbm-util.c:58: error: expected ‘)’ before ‘*’ token
modsec-sdbm-util.c:94: error: expected ‘)’ before ‘*’ token
modsec-sdbm-util.c:177: error: expected ‘)’ before ‘*’ token
modsec-sdbm-util.c:183: error: expected ‘)’ before ‘*’ token
(Continue reading)

Pedro Paiva | 17 Aug 21:47 2015

ModSecurity 2.9.0 is compatible with CentOs 7 ?

Friends, I am trying to install the WAF in version 2.9 and I would like to know
if it is compatible with version 7 of CentOS. If anyone can answer, I'll be
very grateful.
Thanks.
Pedro
------------------------------------------------------------------------------
_______________________________________________
mod-security-users mailing list
mod-security-users <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-users
Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
http://www.modsecurity.org/projects/commercial/rules/
http://www.modsecurity.org/projects/commercial/support/
Anish | 14 Aug 11:04 2015

Modsecurity 2.9 - file inspect rule not working

Hi,

Recently the mod_security in my server was updated from version 2.8 to 
2.9, after this the file inspection rule does not invoke the scanner script.

rule conf
========================
SecRule FILES_TMPNAMES "@inspectFile /etc/httpd/scripts/scanner.pl" "phase:2,t:none,log,deny,msg:'Malicous File Attachment Identified.',id:121314"
SecRule FILES "@rx (\.sh|\.pl|\.php)$" "phase:2,t:none,log,deny,msg:'Malicous File Attachment Identified.',id:121356"
========================

The script worked fine while I was using mod_security 2.8, now the 
script is not triggered at all. The debug log however is showing that 
the inspection rule returned 0.

Debug log
==========================
[11/Aug/2015:08:04:00 --0400] 
[domain.com/sid#7fb77e7d0f80][rid#7fb77f373348][/upload.php][4] Recipe: 
Invoking rule 7fb77d7e4368; [file 
"/etc/httpd/conf/modsecurity.d/upload_scanner.conf"] [line "1"] [id 
"120056"].
[11/Aug/2015:08:04:00 --0400] 
[domain.com/sid#7fb77e7d0f80][rid#7fb77f373348][/upload.php][5] Rule 
7fb77d7e4368: SecRule "FILES_TMPNAMES" "@inspectFile /etc/httpd/scripts/scanner.pl" 
"phase:2,auditlog,t:none,log,deny,msg:'Malicous File Attachment 
Identified.',id:120056"
[11/Aug/2015:08:04:00 --0400] 
[domain.com/sid#7fb77e7d0f80][rid#7fb77f373348][/upload.php][4] Rule 
returned 0.
[11/Aug/2015:08:04:00 --0400] 
[domain.com/sid#7fb77e7d0f80][rid#7fb77f373348][/upload.php][4] Recipe: 
Invoking rule 7fb77d7e67b0; [file 
"/etc/httpd/conf/modsecurity.d/upload_scanner.conf"] [line "2"] [id 
"129056"].
[11/Aug/2015:08:04:00 --0400] 
[domain.com/sid#7fb77e7d0f80][rid#7fb77f373348][/upload.php][5] Rule 
7fb77d7e67b0: SecRule "FILES" "@rx (\\.sh|\\.pl|\\.php)$" 
"phase:2,auditlog,t:none,log,deny,msg:'Malicous File Attachment 
Identified.',id:129056"
[11/Aug/2015:08:04:00 --0400] 
[domain.com/sid#7fb77e7d0f80][rid#7fb77f373348][/upload.php][4] 
Transformation completed in 4 usec.
[11/Aug/2015:08:04:00 --0400] 
[domain.com/sid#7fb77e7d0f80][rid#7fb77f373348][/upload.php][4] 
Executing operator "rx" with param "(\\.sh|\\.pl|\\.php)$" against 
FILES:file.
[11/Aug/2015:08:04:00 --0400] 
[domain.com/sid#7fb77e7d0f80][rid#7fb77f373348][/upload.php][4] Operator 
completed in 1044 usec.
[11/Aug/2015:08:04:00 --0400] 
[domain.com/sid#7fb77e7d0f80][rid#7fb77f373348][/upload.php][4] Rule 
returned 1.
[11/Aug/2015:08:04:00 --0400] 
[domain.com/sid#7fb77e7d0f80][rid#7fb77f373348][/upload.php][1] Access 
denied with code 403 (phase 2). Pattern match "(\\.sh|\\.pl|\\.php)$" at 
FILES:file. [file "/etc/httpd/conf/modsecurity.d/upload_scanner.conf"] 
[line "2"] [id "129056"] [msg "Malicous File Attachment Identified."]
==========================

The second rule in the configuration is working fine, as you can see in 
the debug log.
Anyone else facing the same issue?

Any help in this matter would be greatly appreciated.

Thanks,
Anish

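Added example, not the poster's scanner.pl and not ModSecurity's own code: a minimal scanner that follows the documented @inspectFile output contract (the script prints one line; a first character of `1` means the file passed and the operator does not match, which the debug log reports as "Rule returned 0"; anything else means the file is rejected and the rule's deny fires), plus the decision ModSecurity derives from that line, so a scanner can be checked on its own before suspecting the rule. The content checks are a constructed sample policy, and treating empty output as a rejection is a fail-closed choice made here, not the engine's documented behaviour.

```python
"""Minimal @inspectFile-style scanner and the decision ModSecurity makes from its output.

Constructed for illustration; the content checks are not a real malware scanner.
"""
import sys

# Constructed sample policy: reject uploads whose content starts like a script.
SUSPICIOUS_PREFIXES = (b"#!", b"<?php", b"<?=")


def scan_bytes(data: bytes) -> str:
    """Return the single line an @inspectFile script must print.

    '1 ...' = file is fine; the operator does not match (debug log: Rule returned 0).
    '0 ...' = file rejected; the operator matches and the rule's actions (deny) fire.
    """
    head = data.lstrip()[:8]          # ignore leading whitespace, look at the first bytes
    for prefix in SUSPICIOUS_PREFIXES:
        if head.startswith(prefix):
            return "0 script content detected (%s)" % prefix.decode("ascii")
    return "1 clean"


def inspectfile_matches(script_output: str) -> bool:
    """Mirror how ModSecurity reads the scanner's output: only a first line
    starting with '1' clears the file. Empty output is treated as a rejection
    here (constructed fail-closed choice)."""
    lines = script_output.splitlines()
    return not (lines and lines[0].startswith("1"))


def main(argv):
    # ModSecurity passes the temporary upload file name (FILES_TMPNAMES) as argv[1].
    if len(argv) != 2:
        print("0 usage: scanner.py <file>")
        return 1
    with open(argv[1], "rb") as fh:
        print(scan_bytes(fh.read(4096)))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Running the script by hand against one of the files from the upload temp directory shows whether the scanner itself produces a sensible `0`/`1` line; if it does, the problem lies in ModSecurity not invoking it rather than in the script.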

Hiba Alamin | 13 Aug 12:06 2015

modsecurity with arabic language

Hi,

I installed modsecurity-2.9 on CentOS 6. There are some questions I need to ask:

  •  The website is written in Arabic. ModSecurity blocks the URL because it includes Arabic letters. How can I define the Arabic letters to ModSecurity, especially since all the content is written in Arabic?

 Below is a sample of the logs:
go=%D8%AF%D8%AE%D9%80%D9%80%D9%80%D9%88%D9%84+%D8%A7%D9%84%D9%86%D8%B8%D9%80%D9%80%D9%80%D8%A7%D9%85
--b78cd048-F--
HTTP/1.1 403 Forbidden
X-Frame-Options: SAMEORIGIN
Content-Length: 220
Connection: close
Content-Type: text/html; charset=iso-8859-1
--b78cd048-H--
Message: Access denied with code 403 (phase 2). Pattern match "\\W{4,}" at ARGS:go. [file "/etc/httpd/modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf"] [line "37"] [id "960024"] [rev "2"] [msg "Meta-Character Anomaly Detection Alert - Repetative Non-Word Characters"] [data "Matched Data: \xd8\xaf\xd8\xae\xd9\x80\xd9\x80\xd9\x80\xd9\x88\xd9\x84 \xd8\xa7\xd9\x84\xd9\x86\xd8\xb8\xd9\x80\xd9\x80\xd9\x80\xd8\xa7\xd9\x85 found within ARGS:go: \xd8\xaf\xd8\xae\xd9\x80\xd9\x80\xd9\x80\xd9\x88\xd9\x84 \xd8\xa7\xd9\x84\xd9\x86\xd8\xb8\xd9\x80\xd9\x80\xd9\x80\xd8\xa7\xd9\x85"] [ver "OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "8"]
Action: Intercepted (phase 2)
Apache-Handler: jakarta-servlet
Stopwatch: 1439454979429226 2026 (- - -)

  • Also, there are some errors filling the log file. How can I avoid this error?   [ Message: Warning. Match of "within %{tx.allowed_methods}" against "REQUEST_METHOD" required. [file "/etc/httpd/modsecurity-crs/base_rules/modsecurity_crs_30_http_policy.conf"] [line "31"] [id "960032"] [rev "2"] [msg "Method is not allowed  by policy"] [data "OPTIONS"] [severity "CRITICAL"] [ver "OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "9"] [tag "OWASP_CRS/POLICY/METHOD_NOT_ALLOWED"] [tag "WASCTC/WASC-15"] [tag "OWASP_TOP_10/A6"] [tag "OWASP_AppSensor/RE1"] [tag "PCI/12.1"] ]

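Added example, not from the post or the CRS project: decode the ARGS:go value quoted in the audit log above and run the rule 960024 pattern `\W{4,}` over it both byte-wise and code-point-wise. It assumes ModSecurity 2.x applies the PCRE pattern to the raw UTF-8 bytes of the argument, which is what the `[data "..."]` field in the log shows (every byte of a multi-byte Arabic letter is a non-word byte), and that Python's bytes regex reproduces that behaviour.

```python
"""Why CRS 2.2.9 rule 960024 (\\W{4,}) fires on an Arabic query-string value."""
import re
from urllib.parse import unquote_to_bytes

# ARGS:go exactly as it appears in the audit log above (not constructed).
RAW_GO = ("%D8%AF%D8%AE%D9%80%D9%80%D9%80%D9%88%D9%84"
          "+%D8%A7%D9%84%D9%86%D8%B8%D9%80%D9%80%D9%80%D8%A7%D9%85")

# Pattern of rule 960024, as quoted in the log's "Pattern match".
PATTERN = r"\W{4,}"


def decode_arg(raw: str) -> bytes:
    """Decode a query-string value the way ARGS is populated ('+' becomes a
    space, %XX becomes the raw byte). Returns bytes because the engine
    matches on bytes, not on decoded text (assumption stated in the lead-in)."""
    return unquote_to_bytes(raw.replace("+", " "))


def byte_mode_match(data: bytes):
    """Byte-oriented regex: every byte of a UTF-8 encoded Arabic letter is
    >= 0x80 and therefore a \\W byte, so the whole value is one long run."""
    m = re.search(PATTERN.encode("ascii"), data)
    return m.group(0) if m else None


def unicode_mode_match(data: bytes):
    """Code-point regex: Arabic letters are \\w, so only the single space is
    \\W and no run ever reaches length 4."""
    m = re.search(PATTERN, data.decode("utf-8"))
    return m.group(0) if m else None


def summarize(raw: str) -> dict:
    """Compare both interpretations for one parameter value."""
    data = decode_arg(raw)
    return {
        "bytes": len(data),
        "chars": len(data.decode("utf-8")),
        "byte_mode_hit": byte_mode_match(data) is not None,
        "unicode_mode_hit": unicode_mode_match(data) is not None,
    }


if __name__ == "__main__":
    print(summarize(RAW_GO))
```

The usual CRS-side fix is to exclude the affected parameter from that rule, e.g. `SecRuleUpdateTargetById 960024 !ARGS:go`, or to disable rule 960024 for the site, rather than weakening the pattern.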
Ehsan Mahdavi | 13 Aug 09:10 2015

someone please answer this question

Hi all,

For god's sake, someone please tell me how to use mlogc with nginx!

I am trying to use ModSecurity with nginx.

Thanks
Flack Maguire | 4 Aug 19:25 2015

Re: mod-security-users Digest, Vol 111, Issue 3

Thank you Chaim. Exactly what I needed to know. As a note, we were already planning on whitelisting the search bots we find pertinent. And, good point on not making the IPs a permanent ban. And, yes, we are focused on unsolicited requests. We are fortunate to have this particular server used in such a specific manner that we can view a lot of behavior outside a small range of specific ways of approaching the server as just malicious attempts. Not sure how much of this is really that necessary. It falls more in the 'it can't hurt' category.

I had been looking into the thought of using Fail2Ban, so I guess I now have that much more of a reason to implement it. Thanks again for all the help.

Cheers,
Flack


 
Message: 2
Date: Tue, 4 Aug 2015 02:51:04 +0000
From: Chaim Sanders <CSanders <at> trustwave.com>
Subject: Re: [mod-security-users] Use some specific ports along the lines as Honeypots
To: "mod-security-users <at> lists.sourceforge.net" <mod-security-users <at> lists.sourceforge.net>
Message-ID: <BY1PR0701MB1112897245C119F021244E85DB760 <at> BY1PR0701MB1112.namprd07.prod.outlook.com>

Content-Type: text/plain; charset="utf-8"

In general you can disable ports AND track who hits them while scanning. Remember from your networking fundamentals that your server will just send a RST instead of a SYN/ACK (for TCP). In general as much as I LOVE ModSec, your best way to do this is via IPTables or something like fail2ban. We at Trustwave in fact generate daily malicious IPs based on such things as well as a multitude of honeypots we run. This is distributed with the commercial rules but there is nothing stopping you from generating these daily yourself. Keep in mind that the nature of the internet says you might not want to blacklist IPs forever. In general the practice you are describing is banning IPs based on unsolicited requests... overall this may be fine... But be wary of things like search bots...

Chaim Sanders
Security Researcher, SpiderLabs

Trustwave | SMART SECURITY ON DEMAND
www.trustwave.com

From: Flack Maguire [mailto:flack <at> flackmaguire.net]
Sent: Monday, August 3, 2015 10:14 PM
To: Mod Security Email Discussion List
Subject: [mod-security-users] Use some specific ports along the lines as Honeypots

We have a server being used in a very specific way with a bunch of WordPress microsites for educational experiences for youth.  The logins to WordPress are specifically controlled by us as well as all other details on the server.  What I mean here is that we are not providing hosting to others where we might have to support a wide array of possible use cases.  And, we are turning off email, FTP, etc along with some custom best practice configurations on SSH.

This means that we have a number of ports that are commonly used for things like SSH and FTP which we are not using at all. The obvious option here is that we can turn off those ports.

But, it would seem that we might even get better/faster response to just IP block any IP that seeks to access one of those ports.  We immediately know that anyone trying to access one of those ports is not friendly.  The following link provides one way we think we could do this:
https://www.trustwave.com/Resources/SpiderLabs-Blog/Setting-HoneyTraps-with-ModSecurity--Unused-Web-Ports/

I have a two-layer question. The first layer is seeking to just strictly ask if this is technically the best way to do this. Again, we want a configuration that works like, for example, some IP address hits port 22 that is the typical default for SSH. When this happens, that IP address is automatically added to the banned IP address list. We already have the actual port for SSH on another custom address as well as a number of other measures for securing SSH.

The second layer to my question is more conceptual. Do others consider this a wise practice? Again, we know that we could just turn off the ports. And, we equally know that people manipulate IP addresses all the time. The thinking here goes that we might as well just immediately block any IP address hitting one of these ports in case they hit again or try other ports from the same IP, knowing that almost all of this is happening according to the hackers' automated scripts.

As a side note, it goes without saying that we are keeping all the important access IP addresses on a white list.  We recognize that people could try to spoof one of our good access IP addresses and so ban ourselves from the server.

Thanks for any advice.

Cheers,
Flack


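Added example, not code from the thread, Trustwave or fail2ban: the firewall-side approach Chaim describes (log hits on ports the server does not use, ban the source for a limited time rather than forever, and keep an allowlist so known-good sources are never banned) as a small Python script over constructed iptables LOG lines. The `HONEY:` log prefix, the admin allowlist range, the port set and the 24-hour ban lifetime are all assumptions chosen for illustration.

```python
"""Turn firewall log hits on unused ports into time-limited bans with an allowlist."""
import re
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Ports this server does not use at all (the post mentions SSH/22 and FTP/21); assumed set.
UNUSED_PORTS = {21, 22, 23}
# Chaim's caveat: never ban forever. 24 hours is an assumed value.
BAN_TTL = timedelta(hours=24)
# Sources that must never be banned (admin range, known-good crawlers); constructed RFC 5737 range.
ALLOWLIST = [ip_network("203.0.113.0/24")]
# Reference time used by the sample run below (constructed).
BASE_TIME = datetime(2015, 8, 3, 22, 12)

# Fields of an iptables LOG line written by a rule with --log-prefix "HONEY: " (assumed prefix).
LOG_RE = re.compile(
    r"HONEY: .*?SRC=(?P<src>[\d.]+) .*?PROTO=(?P<proto>\w+) .*?DPT=(?P<dpt>\d+)"
)

# Constructed sample lines in (trimmed) iptables LOG format.
SAMPLE_LOG = """\
Aug  3 22:10:01 host kernel: HONEY: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=51000 DPT=22 SYN
Aug  3 22:10:02 host kernel: HONEY: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=51001 DPT=22 SYN
Aug  3 22:10:05 host kernel: HONEY: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=51002 DPT=21 SYN
Aug  3 22:11:00 host kernel: HONEY: IN=eth0 OUT= SRC=198.51.100.44 DST=192.0.2.10 PROTO=TCP SPT=40000 DPT=443 SYN
"""


def is_allowlisted(src: str) -> bool:
    """True when the source falls inside any allowlisted network."""
    addr = ip_address(src)
    return any(addr in net for net in ALLOWLIST)


def parse_hits(log_text: str):
    """Yield (src, dport) for every logged packet aimed at an unused port."""
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        dport = int(m.group("dpt"))
        if dport in UNUSED_PORTS:
            yield m.group("src"), dport


def build_bans(log_text: str, now: datetime) -> dict:
    """Return {src: expiry} for non-allowlisted sources that probed an unused port."""
    bans = {}
    for src, _dport in parse_hits(log_text):
        if is_allowlisted(src):
            continue            # admin range / whitelisted bots are never banned
        bans[src] = now + BAN_TTL   # expiry is refreshed on every new hit
    return bans


def active_bans(bans: dict, now: datetime) -> set:
    """Drop expired entries so no ban outlives BAN_TTL."""
    return {src for src, expiry in bans.items() if expiry > now}


if __name__ == "__main__":
    current = build_bans(SAMPLE_LOG, BASE_TIME)
    print(sorted(active_bans(current, BASE_TIME)))
```

In practice the active set would be pushed into a firewall ipset or a fail2ban jail on each run, and the run repeated from cron or a log tail.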
Flack Maguire | 4 Aug 04:14 2015

Use some specific ports along the lines as Honeypots

We have a server being used in a very specific way with a bunch of WordPress microsites for educational experiences for youth.  The logins to WordPress are specifically controlled by us as well as all other details on the server.  What I mean here is that we are not providing hosting to others where we might have to support a wide array of possible use cases.  And, we are turning off email, FTP, etc along with some custom best practice configurations on SSH.

This means that we have a number of ports that are commonly used for things like SSH and FTP which we are not using at all. The obvious option here is that we can turn off those ports.

But, it would seem that we might even get better/faster response to just IP block any IP that seeks to access one of those ports. We immediately know that anyone trying to access one of those ports is not friendly. The following link provides one way we think we could do this:
https://www.trustwave.com/Resources/SpiderLabs-Blog/Setting-HoneyTraps-with-ModSecurity--Unused-Web-Ports/

I have a two-layer question. The first layer is seeking to just strictly ask if this is technically the best way to do this. Again, we want a configuration that works like, for example, some IP address hits port 22 that is the typical default for SSH. When this happens, that IP address is automatically added to the banned IP address list. We already have the actual port for SSH on another custom address as well as a number of other measures for securing SSH.

The second layer to my question is more conceptual. Do others consider this a wise practice? Again, we know that we could just turn off the ports. And, we equally know that people manipulate IP addresses all the time. The thinking here goes that we might as well just immediately block any IP address hitting one of these ports in case they hit again or try other ports from the same IP, knowing that almost all of this is happening according to the hackers' automated scripts.

As a side note, it goes without saying that we are keeping all the important access IP addresses on a white list.  We recognize that people could try to spoof one of our good access IP addresses and so ban ourselves from the server.  

Thanks for any advice.

Cheers,
Flack

Mindaugas Bernatavičius | 1 Aug 05:25 2015

ModSecurity v3 and ModSecurity-nginx

Hi Folks, 

Just found out about ModSec v3 - very exciting stuff.

Can anyone share thoughts on approximate schedules for when ModSecurity v3 and / or ModSecurity-nginx are planned to be in a production-ready state?

A month, half a year, a year?

Thank you,
Mindaugas Bernatavičius  
Hermann Schwärzler | 31 Jul 10:55 2015

Deny with status 429 not possible?

Hi everybody,

we are having a problem with a badly written web application that
consumes all of the connections of its database pool because a crawler
is hitting it too fast.
As neither the developer of the app is reachable nor the crawler is
able/willing to slow down within the next days, I wrote some mod_security
rules to allow only every 4th request coming from the crawler.

So far so good. That works perfectly and I am glad to have mod_security
installed!

I tried to deny the requests with an HTTP-status of
"429 Too Many Requests"
by adding "deny,status=429" to the corresponding rule.

In the apache error_log I see
 ModSecurity: Access denied with code 429 (phase 2).
But in the access_log and on the client I get a response code of 500.

Why is the response code changed to 500?

I am using
ModSecurity for Apache/2.8.0
 APR compiled version="1.3.9"; loaded version="1.3.9"
 PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
 LUA compiled version="Lua 5.1"
 LIBXML compiled version="2.7.6"

on a server with
Red Hat Enterprise Linux Server release 6.6 (Santiago)

Greetings
Hermann
